XML digital signature is one of the methods WebSphere Application
Server provides to secure your Web services. It provides message integrity
and authentication capabilities when used with SOAP messages.
Before you begin
Important: There is an important distinction between Version
5.x and Version 6.0.x and later applications. The information
in this article supports Version 5.x applications only that are used
with WebSphere Application Server Version 6.0.x and later. The information
does not apply to Version 6.0.x and later applications.
WebSphere
Application Server provides several different methods to secure your Web services;
XML digital signature is one of these methods. You can secure your Web services
by using any of the following methods:
- XML digital signature
- XML encryption
- Basicauth authentication
- Identity assertion authentication
- Signature authentication
- Pluggable token
About this task
XML digital signature provides both message integrity and authentication
capabilities when it is used with SOAP messages. A message receiver can verify
that attackers or accidents have not altered parts of the message after the
message was signed by a key. If a message has a digital certificate issued
by a certificate authority (CA) and a signature in the message is validated
successfully by a public key in the certificate, it is proof that the signer
has the corresponding private key. To use XML digital signature to secure
Web services, complete the following steps:
Procedure
- Define the security constraints or extensions. To configure
the security constraints, you must use and assembly tool. For more information,
see Assembly tools.
- Configure the client to digitally sign a message request.
To configure the client, complete the following steps to specify which
parts of the SOAP message to digitally sign and define the method used to
digitally sign the message. The client in these steps is the request sender.
- Specify the message parts by following the steps found in Configuring the client for request signing: digitally signing
message parts.
- Select the method used to digitally sign the request message. You can
select the digital signature method by following the steps in Configuring the client for request signing: choosing the digital
signature method.
- Configure the server to verify the digital signature that is
used in the message request. To configure the server, you must
specify which parts of the SOAP message, sent by the request sender, contain
digitally signed information and which method was used to digitally sign the
message. The settings chosen for the request receiver, or the server in this
step, must match the settings chosen for the request sender in the previous
step.
- Define the message parts by following the steps found in Configuring the server for request digital signature verification:
verifying message parts.
- Select the same method used by the request sender to digitally sign the
message. You can select the digital signature method by following the steps
in Configuring the
server for request digital signature verification: choosing the verification
method
- Configure the server to digitally sign a message response.
To configure the server, complete the following steps to specify which
parts of the SOAP message to digitally sign and define the method used to
digitally sign the message. The sender in these steps is the response sender.
- Specify which message parts to digitally sign by following the steps found
in Configuring the server
for response signing: digitally signing message parts.
- Select the method used to digitally sign the response message. You can
select the digital signature method by following the steps in Configuring the server for response signing: choosing the digital
signature method
- Configure the client to verify the digital signature that is
used in the message response. To configure the client, you must
specify which parts of the SOAP message sent by the response sender contain
digitally signed information and which method was used to digitally sign the
message. The settings chosen for the response receiver, or client in this
step, must match the settings chosen for the response sender in the previous
step.
- Define the message parts by following the steps found in Configuring the client for response digital signature verification:
verifying message parts
- Select the same method used by the response sender to digitally sign the
message. You can select the digital signature method by following the steps
in Configuring the
client for response digital signature verification: choosing the verification
method
- Define the client security bindings. To configure the
client security bindings, complete the steps in either of the following topics:
- Define the server security bindings. To configure the
server security bindings, complete the steps in either of the following topics:
Results
After completing these steps, you have secured your Web services using
XML digital signature.